Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Form Based Authentication 1.0.0
-
None
Description
There is a nice feature of Cookie support in browsers today, which prevents cookies from being accessed in client side Javascript: "HttpOnly". This makes using cookies almost as save as HTTP Basic Authentication from the POV of accessing the data from client-side JavaScript.
The cookie(s) produced by the Form Authentication Handler should be protected using this attribute.
The drawback is, that the Set-Cookie response header must be created manually because the Servlet API Cookie class up to and including 2.5 does not support setting this attribute (Servlet API 3.0 Cookie supports it, but we don't support Servlet API 3.0)
See http://www.owasp.org/index.php/HttpOnly for full details and http://www.browserscope.org/?category=security for up to date browser support information.